September 11, 2001: A decade on, what business continuity and information security lessons have been learned?
By Thomas Virgona, Ph.D
ABSTRACT: This paper describes research which investigated the impacts of September 11, 2001, on information security and looks at how effective disaster recovery and business continuity prepared to protect information systems were. Despite it being almost a decade since the events reviewed in this paper occurred, many of the lessons are not only current, but have not yet been effectively explored or considered.
The research examined the impact on information systems security on the disaster recovery effort associated with September 11, 2001. Specific areas considered included:
• What happened to the systems that day and how did information systems technologists
The expected outcome of the research will be a better understanding of issues facing information security during major disasters.
Specific findings included:
• One of the major shortcomings in the disaster recovery or continuity of business design was the reliance on humans to ensure that company’s information infrastructure was restored to an operational status.
• Organizations often create elaborate emergency operations plans, but they fail to develop the capability to implement these plans. Disaster plans are important, but they are not enough by themselves to assure preparedness. They can be an illusion of preparedness.
• Informally developed teams are more effective than formal teams.
• Information policies can’t be stopped during a crisis, but they need to be relaxed. Due to the human elements and personal relationships, firms need to realize that information system will be changes in an un‐controlled manner during a disaster. How these changes conflict with existing information security and change control policies presents an issue for firms.
This paper was first published in Continuity Central’s sister publication, the Business Continuity Journal.
•Date: 9th Sept 2011 • Region: US •Type: Article • Topic: Terrorism